VPA-Guard: Defending and Benchmarking Image-to-Video Generation Against Visual Prompt Attacks

2026-06-24 · Source: Takara TLDR - Daily AI Papers · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

VPA-Guard is a novel retrieval-augmented and self-evolving defense framework designed to protect Image-to-Video (I2V) generation models from visual prompt attacks. These attacks exploit visual cues like arrows or emojis in input images, which models interpret as temporal instructions, leading to harmful video outputs. To address the lack of relevant safety evaluations, the authors introduce VVA-Bench, the first systematic benchmark specifically for vision-centric prompt attacks. Experiments using VVA-Bench revealed that leading I2V models are highly vulnerable, with Wan 2.7 achieving a 100.0% Attack Success Rate (ASR) and Veo 3.1 reaching 74.8% ASR. VPA-Guard effectively mitigates these risks, reducing the attack ASR by 44.2% and the harmfulness score by 73.4% on average, while maintaining the models' utility for legitimate user edits. This work provides both a rigorous evaluation tool and an effective defense strategy for safer multimodal generation.

Key takeaway

For AI Security Engineers developing or deploying Image-to-Video (I2V) generation systems, you must prioritize defense against visual prompt attacks. Your current models, including Wan 2.7 and Veo 3.1, are likely highly vulnerable to implicit visual cues leading to harmful outputs. Implement robust defense frameworks like VPA-Guard, which significantly reduces attack success rates and harmfulness, to ensure the responsible and safe operation of your multimodal generation capabilities.

Key insights

Visual prompt attacks pose a severe threat to Image-to-Video models, necessitating specialized benchmarks like VVA-Bench and defenses like VPA-Guard.

Principles

• I2V models are highly susceptible to visual prompt attacks.
• Benchmarking requires vision-centric attack categories.
• Few-shot reasoning can detect malicious visual intents.

Method

VPA-Guard is a retrieval-augmented, self-evolving defense framework that employs few-shot reasoning to identify latent malicious intents within visual prompts, thereby mitigating harmful video generation.

In practice

• Use VVA-Bench to evaluate I2V model safety.
• Implement VPA-Guard to reduce attack success rates.
• Integrate few-shot reasoning for prompt intent detection.

Topics

• Image-to-Video Generation
• Visual Prompt Attacks
• AI Safety Benchmarking
• VPA-Guard
• Multimodal AI Security
• Few-shot Reasoning

Best for: Computer Vision Engineer, Research Scientist, CTO, AI Scientist, AI Security Engineer

Related on AIssential

• Evaluating Prompting-Based Defenses Against Domain-Camouflaged Injection Attacks — Paraphrasing retrieved content is the most effective prompting-based defense against domain-camouflaged injection attacks.
• Florida International University researchers reveal how altered images can bypass AI safeguards — Microscopic image perturbations can "jailbreak" small-language AI models, bypassing safety mechanisms and generating harmful outputs.
• Controlling AI Models from the Inside — Model-native runtime analysis offers a cheaper, faster, and more robust approach to AI safety than external guardrails.
• LivePI: More Realistic Benchmarking of Agents Against Indirect Prompt Injectio — LivePI benchmarks indirect prompt injection risks in AI agents across diverse attack vectors and malicious goals.
• PolicyGuard: Towards Test-time and Step-level Adversary Defense for Reinforcement Learning Agent — PolicyGuard uses Gaussian Process posterior variance for test-time, step-level backdoor detection in reinforcement learning agents.
• Dual-Modality Multi-Stage Adversarial Safety Training: Robustifying Multimodal Web Agents Against Cross-Modal Attacks — Cross-modal attacks on multimodal web agents exploit dual observation channels, necessitating specialized safety training.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Takara TLDR - Daily AI Papers.